Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A Program Instrumentation Framework for Automatic Verification

Jesper Amilon, Zafer Esen, Dilian Gurov, Christian Lidström, Philipp Rümmer, Marten Voorberg

TL;DR

The paper tackles the gap between expressive specifications and back-end verification tools by introducing program instrumentation as a formal, automatic framework that rewrites programs to eliminate hard constructs while preserving correctness. It formalizes an instrumentation operator (G,R,I), along with an automated application strategy, enabling automatic discovery of instrumented programs whose verification implies the original program’s correctness. Using a monoid-homomorphism-based approach, the authors develop operators for quantification over arrays and for aggregations, including non-cancellative and cancellative monoids, and provide soundness and (relative) completeness results. The Mono-Cera tool demonstrates practical impact by automatically verifying a significant set of SV-COMP programs involving array quantification and aggregation, outperforming several existing fully automatic back-ends on challenging benchmarks. This framework promises scalable verification for complex array properties and supports back-translation of witnesses and counterexamples, with future work aimed at expanding the operator library and applying the approach to broader data-structures and arithmetic forms.

Abstract

In deductive verification and software model checking, dealing with certain specification language constructs can be problematic when the back-end solver is not sufficiently powerful or lacks the required theories. One way to deal with this is to transform, for verification purposes, the program to an equivalent one not using the problematic constructs, and to reason about this equivalent program instead. In this article, we propose program instrumentation as a unifying verification paradigm that subsumes various existing ad-hoc approaches, has a clear formal correctness criterion, can be applied automatically, and can transfer back witnesses and counterexamples. We illustrate our approach on the automated verification of programs that involve quantification and aggregation operations over arrays, such as the maximum value or sum of the elements in a given segment of the array, which are known to be difficult to reason about automatically. We implement our approach in the MonoCera tool, which is tailored to the verification of programs with aggregation, and evaluate it on example programs, including SV-COMP programs.

A Program Instrumentation Framework for Automatic Verification

TL;DR

The paper tackles the gap between expressive specifications and back-end verification tools by introducing program instrumentation as a formal, automatic framework that rewrites programs to eliminate hard constructs while preserving correctness. It formalizes an instrumentation operator (G,R,I), along with an automated application strategy, enabling automatic discovery of instrumented programs whose verification implies the original program’s correctness. Using a monoid-homomorphism-based approach, the authors develop operators for quantification over arrays and for aggregations, including non-cancellative and cancellative monoids, and provide soundness and (relative) completeness results. The Mono-Cera tool demonstrates practical impact by automatically verifying a significant set of SV-COMP programs involving array quantification and aggregation, outperforming several existing fully automatic back-ends on challenging benchmarks. This framework promises scalable verification for complex array properties and supports back-translation of witnesses and counterexamples, with future work aimed at expanding the operator library and applying the approach to broader data-structures and arithmetic forms.

Abstract

In deductive verification and software model checking, dealing with certain specification language constructs can be problematic when the back-end solver is not sufficiently powerful or lacks the required theories. One way to deal with this is to transform, for verification purposes, the program to an equivalent one not using the problematic constructs, and to reason about this equivalent program instead. In this article, we propose program instrumentation as a unifying verification paradigm that subsumes various existing ad-hoc approaches, has a clear formal correctness criterion, can be applied automatically, and can transfer back witnesses and counterexamples. We illustrate our approach on the automated verification of programs that involve quantification and aggregation operations over arrays, such as the maximum value or sum of the elements in a given segment of the array, which are known to be difficult to reason about automatically. We implement our approach in the MonoCera tool, which is tailored to the verification of programs with aggregation, and evaluate it on example programs, including SV-COMP programs.

Paper Structure

This paper contains 35 sections, 8 theorems, 17 equations, 13 figures, 2 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Comparison to CAV paper
  3. Motivating Examples
  4. Array Aggregation
  5. Non-linear Arithmetic
  6. Automatic Program Instrumentation
  7. Contributions and Outline
  8. Instrumentation Framework
  9. The Core Language
  10. Syntax
  11. Semantics
  12. Instrumentation Operators
  13. Instrumentation Operators for Arrays
  14. Instrumentation Operators for Quantification over Arrays
  15. Instrumentation Operators for Aggregations
  16. ...and 20 more sections

Key Result

Theorem 1

For any target monoid $(M, \circ, e)$ and monoid homomorphism $h: D_\sigma^* \rightarrow M$ with implementations of $\circ$ and $h$ that terminate and do not assign to any variables, the instrumentation operator $\Omega_{\mathit{nc}}((M, \circ, e), h){}$ is correct, i.e., it adheres to the constrain

Figures (13)

  • Figure 1: Example program calculating the maximum voltage in a battery pack consisting of an array of batteries
  • Figure 2: Definition of the instrumentation operator $\Omega_{\mathit{max}}{}$
  • Figure 3: Program computing triangular numbers, and its instrumented counterpart
  • Figure 4: Instrumentation operator $\Omega_{square}$ for tracking squares
  • Figure 5: Syntax of the core language
  • ...and 8 more figures

Theorems & Definitions (29)

  • Definition 1: Instrumentation Operator
  • Definition 2: Rewriting a program statement
  • Definition 3: Monoid
  • Definition 4: Monoid Homomorphism
  • Definition 5: Cancellative Monoid
  • Definition 6
  • Theorem 1: Correctness of $\Omega_{\mathit{nc}}{}$
  • proof
  • Theorem 2: Correctness of $\Omega_{\mathit{c}}{}$
  • proof
  • ...and 19 more